Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My web server is (include version): nginx - reverse proxy
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
On my iPhone, I have Chrome and Firefox. When browsing my website (rickscs.com), I get a cert error. On the same device, Safari says the cert is good. Desktop browsers in Windows also show the cert good. There are many domains going through this proxy server and all the others show good in Chrome on my phone. Only the one domain has this issue...
Can you try nginx -T (capital T)?
Your site doesn't reply on https at all; openssl s_client to your site says it didn't send anything for the TLS handshake.
TCP looks open though. Maybe nginx passthrough TLS but nothing behind that proxy?
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 303 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
Note the warning for TLS 1.2. It means a browser that uses TLS 1.2 but does not use SNI or uses the wrong host name will get the wrong certificate. Specifically, the one for copelanddevelopment.com.
Yes, thanks. Noting it requires minimum openssl 1.1.1 (IIRC)
And, @com-guy, I "buried the lede" in my previous post but I think we are all curious about your versions of chrome and firefox and your iPhone. And, the details of the "cert error".
This is my first time setting up a reverse proxy. The proxy itself is pretty simple. It's the ssl part that I struggle with. I guess I just don't understand how it works well enough to diagnose it....
How do I find details about the error in Chrome? When clicking site information from within Chrome, it says the certificate is verified, but that the site isn't secure...
That's a mixed content warning, because the site loads an image over http: http://showmypc.com/images/buttons/g3.png
That site supports https, so just change the image link to the https version of it.
In this context I think he means Firefox for iOS, which has different versioning (as Apple forces use of the Safari engine for browsers on iOS).
Firefox (iOS) 39 was just released on the 2nd of this month.
No, orangepizza cleared that up. Version 39 for Android is from 2015. Same version number on iOS is recent. My bad. Of course, I did not know you just downloaded it either until just now. You would be surprised at the age of some things we see on this forum.
Not really surprised... I had a customer bring in a PC about a month ago that he bought new in 1997 running Win 95 for repairs. It had a program on it that was discontinued and he had no installation media to install on a newer PC. He had been using the modem in it to fax himself documents from it because he couldn't get a printer to work.
Thanks for all the help guys... I knew the answer here. I had run into that issue before, but had forgotten.
I'm not that experienced with Apple devices, but I've heard (also confirmed by reading the current Apple Developer Policy) that you're not allowed to "ship your own browser engine". So Firefox on iOS just uses WebKit, which means that it's using the OS TLS stack and the OS trust store (or whatever is used by Apple's WebKit framework...).